A new variant of the “I Love You” virus, in the wild since Tuesday, has some security experts worried — not because the worm is terribly destructive, but because copycats may use it as the roadmap for creation of more dangerous versions.
The virus, known as VBS/LoveLetter.bd, has been rated low to medium risk by a number of security companies. Its aliases include DUNpws.bo, Loveletter.ad, resume.txt.vbs, Trojan.PWS.Hooker.24.c, VBS/Contract, VBS/Lovelet-BD, and VBS/Resume.A.Worm.
Based loosely on May’s VBS/Loveletter worm, Loveletter.bd made its first appearance Tuesday night in Germany. It distributes itself via MAPI e-mail as an attachment named “resume.txt.vbs” (the double extension is meant to make the script pass for a text file), with the subject line “resume” and no body text. When the VBScript is run, it opens in Notepad the resume of a Swiss knowledge engineer. While the victim reads the resume, the script downloads a Trojan component using an FTP shell command and a script file, and mails itself to other addresses via MAPI. When the infected system is rebooted, the Trojan captures the password and PIN information that online banking customers of Switzerland’s UBS have stored in the registry on their computers.
The Trojan feature is only active if the user is running “UBS PIN,” software produced by the bank to automatically manage a customer’s electronic banking authorization information.
After the information is captured, the worm e-mails the file to three hard-coded e-mail recipients: ct102356@excite.com, acch01@netscape.net and deroha@mailcity.com.
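The indicators reported above (the attachment name, the “resume” subject with an empty body, and the three hard-coded drop addresses) are enough for a simple mail-gateway check. The following Python script is an added example written for this page, not code from the article, from NIPC or from any anti-virus vendor; it uses only the standard-library `email` package, the sample messages it builds are constructed here, and the placeholder attachment text only carries a drop-address string so that the content check fires. Its double-extension test is generalized beyond `.txt.vbs` to the other Windows Script Host extensions, which is an assumption of the example rather than something the article states.

```python
import email
from email import policy
from email.message import EmailMessage

# Indicators reported for VBS/LoveLetter.bd in the article.
WORM_ATTACHMENT = "resume.txt.vbs"
WORM_SUBJECT = "resume"
DROP_ADDRESSES = {
    "ct102356@excite.com",
    "acch01@netscape.net",
    "deroha@mailcity.com",
}
# Windows Script Host extensions (assumption of this example): a double
# extension such as .txt.vbs is the usual trick for disguising a script
# as a harmless document.
SCRIPT_EXTENSIONS = (".vbs", ".vbe", ".js", ".jse", ".wsf", ".wsh")


def is_double_extension_script(filename: str) -> bool:
    """True for names like 'resume.txt.vbs': a script suffix behind another extension."""
    name = filename.lower()
    return name.endswith(SCRIPT_EXTENSIONS) and name.count(".") >= 2


def scan_message(raw: bytes) -> list:
    """Return the indicator hits for one raw RFC 822 message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    hits = []

    # 1. Outbound exfiltration: captured data is mailed to hard-coded drop boxes.
    for header in ("to", "cc"):
        for value in msg.get_all(header, []):
            for addr in value.addresses:
                spec = addr.addr_spec.lower()
                if spec in DROP_ADDRESSES:
                    hits.append(f"recipient is a known drop address: {spec}")

    # 2. Attachment checks: exact worm name, generic double extension,
    #    and drop addresses embedded in any script attachment.
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if name == WORM_ATTACHMENT:
            hits.append(f"known worm attachment name: {name}")
        elif is_double_extension_script(name):
            hits.append(f"double-extension script attachment: {name}")
        if name.endswith(SCRIPT_EXTENSIONS):
            content = part.get_content()
            if isinstance(content, bytes):
                content = content.decode("latin-1", "replace")
            for drop in sorted(DROP_ADDRESSES):
                if drop in content.lower():
                    hits.append(f"script references drop address: {drop}")

    # 3. The reported lure: subject "resume", no body text, script attached.
    subject = (msg["subject"] or "").strip().lower()
    body = msg.get_body(preferencelist=("plain",))
    body_text = body.get_content().strip() if body is not None else ""
    if subject == WORM_SUBJECT and not body_text and any("attachment" in h for h in hits):
        hits.append("subject 'resume' with empty body matches the reported lure")

    return hits


def build_sample(subject: str, body: str, to: str,
                 attachment_name: str = "", script_text: str = "") -> bytes:
    """Construct a test message (sample data made up for this example)."""
    msg = EmailMessage()
    msg["From"] = "user@example.com"
    msg["To"] = to
    msg["Subject"] = subject
    msg.set_content(body)
    if attachment_name:
        msg.add_attachment(script_text.encode("latin-1"), maintype="application",
                           subtype="octet-stream", filename=attachment_name)
    return msg.as_bytes()


# Placeholder attachment text: it only contains a drop-address string so the
# content check fires; it is not the worm's script.
PLACEHOLDER_SCRIPT = 'Sub Main\n    drop = "ct102356@excite.com"\nEnd Sub\n'

# Constructed samples: one shaped like the reported worm mail, one outbound
# exfiltration mail, one generic double-extension attachment, one clean mail.
SAMPLES = {
    "worm-like": build_sample("resume", "", "colleague@example.com",
                              WORM_ATTACHMENT, PLACEHOLDER_SCRIPT),
    "exfil": build_sample("data", "attached", "ct102356@excite.com"),
    "double-ext": build_sample("invoice", "see attached", "colleague@example.com",
                               "invoice.doc.js", "WScript.Echo 1\n"),
    "benign": build_sample("Q3 report", "see attached", "colleague@example.com",
                           "report.pdf", "%PDF-1.4 placeholder\n"),
}

if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        print(label, scan_message(raw) or ["clean"])
```

The three checks are deliberately independent: the drop-address check catches the exfiltration mail even when the attachment never passed through the gateway, and the double-extension check catches renamed copies that a signature keyed to “resume.txt.vbs” would miss.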
Russia’s Kaspersky Lab said, “It should be highlighted that the Trojan component has been downloaded from the Web sites of several major governmental and educational establishments having no strict access policy to their content. Among these establishments are Michigan State University and the U.S. National Institutes of Health. Inadvertently, all users have full access to the public upload directory, which enables them not only to upload files, but also to download them. It is this breach that is exploited by the virus to prevent the author’s location from being revealed.”
The National Infrastructure Protection Center, a government agency charged with protecting the security of the nation’s computing infrastructure and based in FBI headquarters in Washington, D.C., has received two reports of the worm on U.S. sites. The agency confirmed that the FBI is investigating the virus outbreak.
“The anti-virus software industry has obtained a copy of the worm and is currently working on a DAT file for the virus,” the NIPC said. “The Loveletter variant can be detected as ‘New VBS’ using VirusScan 4.5 with heuristics enabled.”
Finnish security company F-Secure Corp. said it has heard of no cases where a user’s banking information has been compromised.
Mike Rothman, executive vice president of SHYM Technology, an e-business application security provider, said this particular virus is attacking only a very specific piece of code in a very specific community. However, he said the attack’s potential shouldn’t be overlooked.
“If you were to combine that specific attack with a very effective distribution mechanism, that ends up being a very potent combination.”
Rothman said the best way to mitigate the risk of this type of attack is a combination of common sense and technology. He recommended the use of strong passwords and use of digital certificates to authenticate executable scripts sent through e-mail. “Try not to leave your passwords all over the place,” he said. He added, “Most people have one or two or three passwords that they use in multiple places.”
He also said that businesses should create and enforce a security policy to give employees guidelines to deal with e-mail. “There’s only so much the technology is going to do to solve this,” he said. “A lot of it continues to be common sense.”